Posted
by
samzenpuson Thursday July 02, 2009 @10:03AM
from the wasted-days-and-wasted-art dept.

tiffanydanica writes "For a lot of us our browser history is something we consider private, or at least not something we want to expose to every website we visit. Web2.0collage is showing just how easy it is (with code!) for sites to determine what sites you visit. When you visit the site it sniffs your browser history, and creates a collage of the (safe for work) sites that you visit. It is an interesting application of potentially scary technology (imagine a job application site using this to screen candidates). You can jump right into having your history sniffed if you so desire. While the collages are cool on their own merit, they also serve as an illustration of the privacy implications of browser history sniffing."

It all depends on if your inprivate browser history changes the color of links when they are displayed (or in general obey the css style sheets for visited links). Perhaps someone with IE8 can test it out for us [I lack access to a windows machine]?

Unless you want to browse by IP address there's no way to avoid DNS lookups when you're browsing, no matter what the browser does or doesn't store. There's also no way for the browser to disable that caching -- it's an OS-level function (in all OSes, not just OS X), not a browser feature.

It's silly anyway, because if someone is trying to track your DNS lookups it would likely be easier to simply listen for them on the network, or to guess against your network DNS cache, rather than to interface with your lo

I'm using FF 3.0.11 on Jaunty with history disabled, and it did not get anything from my browser even though the "recently closed tabs" menu has many entries in it. All i got was a black square. I also had to tell NoScript to allow their domain. This made me feel better about my paranoid ways!

I've been doing this with firefox for years. Just go to the privacy section of your options/preferences, and disable history, disable cookies, and tell it to clear your history every time you leave. Really I just have it set for no password/form/history saved, and only accept first party cookies until I close firefox, except for the white list I have so I don't have to keep on signing in to my usual sites.

So just disable your browser history if you are that paranoid about it. It only takes a few clicks in any major browser. Plus if you for some reason don't want to do that, most browsers now have a private mode that doesn't record those sites in the history.

So just disable your browser history if you are that paranoid about it. It only takes a few clicks in any major browser. Plus if you for some reason don't want to do that, most browsers now have a private mode that doesn't record those sites in the history.

I think the point can be explained this way: "who's the numbnuts who thought it would be a great idea to make this information available to anyone who asks for it?" Speaking generally about all user data and all remote IP addresses, all remote hosts are on a need-to-know basis and 99.999% of the time, they don't need to know. They particularly don't need to know without prompting the user and asking "do you want to give out this information?" with that question defaulting to "No" and a box, checked by default, which says "Remember this preference".

You can subtly dismiss it as paranoia if you like. That doesn't excuse poor design. Also, globally disabling the browser history would deny the remote Web site access to the browser's history, sure, but it would also deprive the user of this local feature. There should be a more reasonable alternative to either "lose this feature" or "make this feature available to anyone who asks with no regard for privacy." Apparently NoScript provides such an alternative.

who's the numbnuts who thought it would be a great idea to make this information available to anyone who asks for it?

Changing the color of a link you've visited has been around forever. Changing the style of a link you've visited to one that can send information back to the server eg "background-image:url(/visited.pl?site=slashdot)", that's newer.

who's the numbnuts who thought it would be a great idea to make this information available to anyone who asks for it?

Changing the color of a link you've visited has been around forever. Changing the style of a link you've visited to one that can send information back to the server eg "background-image:url(/visited.pl?site=slashdot)", that's newer.

Sorry but I don't think I fully understand how that relates to this story. Would you elaborate please? What you describe there sounds like a re-implementation of so-called "http ping."

Because that's how this vulnerability works. It doesn't really sniff your browser history - as such - what it does it it has a huge page full of popular websites, displays them as links (invisible) and sees which links change colour. There's no easy workaround that will both allow you to have a history, and allow web pages to display something different (e.g. link colour / style) for pages that you have visited already. Perhaps the best compromise would be to allow changes to link style only within the domain of the page that's attempting to set that style. But it's still a major backward step in usability. The other option might be to disable link styles for pages that have greater than a certain number of links (say 50).

That would make it harder, but not impossible. If you have a background image for each link style, and give that background image a unique (one-time generated) name, then the server would know when that image had been pulled, and hence which links had been visited.

Ooooh, I just re-read your post and see what you mean. Sorry. I still think there could be ways of doing it though, like making the images different sizes and then seeing what size the containing object has become - in fact this would work by using fonts of different sizes. I think once you start trying to prevent this, you pull on one little thread and the whole CSS/DOM thing unravels.

I thought of another way to defeat your workaround - make the links very different font sizes then read the size of the containing object. I think, ultimately, it would be very difficult to allow any kind of introspection whilst at the same time protecting completely against this vulnerability.

Because that's how this vulnerability works. It doesn't really sniff your browser history - as such - what it does it it has a huge page full of popular websites, displays them as links (invisible) and sees which links change colour. There's no easy workaround that will both allow you to have a history, and allow web pages to display something different (e.g. link colour / style) for pages that you have visited already.

The Web page (HTML, Javascript code,...) should not be able to detect such differences and be able to report them back home; it's OK to tell the browser how to render visited links, but not to get the feedback by the browser how it rendered which links. The feedback is actually breaking the sandbox principle.

I actually think that the current direction to "the browser is the OS (or even worse, the Flash player in your browser is the OS)" is a security nightmare.

I think there would always be a way round this. I suspect there would be a clever computational way of benchmarking the rendering engine and then creating images of different sizes on-the-fly in a complex layout and finding out which combinations were rendered. Sounds complex, but with a little thought I think there will always be a workaround.

The Web page (HTML, Javascript code,...) should not be able to detect such differences and be able to report them back home; it's OK to tell the browser how to render visited links, but not to get the feedback by the browser how it rendered which links.

So say I make my:visited links twice as tall as my regular links. Are you saying JavaScript shouldn't be able to read the height of the element? That would break all scripts that position anything. Once I can read it with JavaScript, I can always send it back home (e.g., via AJAX, add an image or iframe with a magic URL the browser will load, . ..).

The only way I see to fix this would be to sharply limit the properties that can be set based on:visited, to things like color and background-image; fetc

The Web page (HTML, Javascript code,...) should not be able to detect such differences and be able to report them back home; it's OK to tell the browser how to render visited links, but not to get the feedback by the browser how it rendered which links.

So say I make my:visited links twice as tall as my regular links. Are you saying JavaScript shouldn't be able to read the height of the element? That would break all scripts that position anything. Once I can read it with JavaScript, I can always send it back home (e.g., via AJAX, add an image or iframe with a magic URL the browser will load, . ..).

You are completely right.

The only way I see to fix this would be to sharply limit the properties that can be set based on:visited, to things like color and background-image; fetch background images for:visited links even if they aren't visited and the image won't be used; and lie to script when it asks about the color of a visited link (by pretending it's not visited in all cases). You can't even allow things like font-weight to be set: anything that affects sizes is going to be impossible to hide from script.

Good idea making:visited very restricted.

Or you could, you know, not worry that random sites can figure out that omg you visit Slashdot (very inefficiently, by the way). That's the tactic I'm taking, personally.

Here, I do not agere at all. This is a privacy issue. And a privacy issue can become very fast a security issue (phishing). And, even if is not phishing, I do not want/. or any other page to let find out what I looked at before. Of course, for tracking sites this is a very cool possibility to get more information from you (and to earn more dollars with this information). Your tactic may work for you, but for most users it's a privacy n

Here, I do not agere at all. This is a privacy issue. And a privacy issue can become very fast a security issue (phishing). And, even if is not phishing, I do not want/. or any other page to let find out what I looked at before. Of course, for tracking sites this is a very cool possibility to get more information from you (and to earn more dollars with this information). Your tactic may work for you, but for most users it's a privacy nightmare. And you don't need to be paranoiac...

I strongly suspect that most users don't really care that much. And I don't think it's very worrisome even if you're concerned about privacy. The concept has been public for eight years now, but there's not a single attack that's ever been identified in the wild, nor is there any indication that one is likely anytime soon.

It's a complicated and slow technique that gets you very little useful information. Phishers could (and do) more profitably spending their time trying to get more people to visit thei

"There's no easy workaround that will both allow you to have a history, and allow web pages to display something different (e.g. link colour / style) for pages that you have visited already."

Wait a minute, you could just make it work like it's SUPPOSED to. The page says "hey, can you make any visited links a different colour?" and my browser, if I say so, displays those links to me in a different colour.

If for some reason the web server wants to know what's happening on my end (say, it wants to do some web

Or another method, don't allow the javascript to see what color the link is. That might break some stuff.

I seriously cannot think of any Web site that would break without this functionality. Though, I may be biased as I have been using NoScript for a long time now and think that default-deny is a great idea. As in, it's borderline negligence that all browsers don't have something like NoScript built in as a standard feature.

Personally I think seeing the color of the link is likely to be a frivolous/cosmetic feature of dubious utility. But let's just assume for the sake of argument that it's a critical fe

It doesn't need to be able to transmit this data back to the server, but it's extremely difficult to get it to not transmit it back to the server, if you are allowing at least something to be transmitted back to the server. Say you didn't want the size of an element transmitted back to the server. Well, you'd have to track every variable you assigned it to, and track every variable those were assigned, appended, or encoded to to ensure that none of that data in any way made it out to a server anywhere. It'

Whether or not you can *read* the history of a browser is irrelevant if you want to know whether or not a user has visited a specific site. In that case you can simply create a page that will set appropriate CSS rules to make the browser try to load a specific background image for visited URL's for each site you want to check for. Then when the user loads your page, you'll get a barrage of what you call http pings, and all you need to do is collate that information and you know which of the sites you care about that the user has visited recently.

It's less invasive than being able to wholesale dump the browser history (you don't know when the sites were visited, for example), but protecting against it also means disabling functionality (you'd need to prevent an app from being able to tell whether or not a link on it's own page has been clicked via CSS rules or other means, which means either disabling the distinction between visited or not completely or disabling reading back style information and/or preventing setting CSS rules that trigger loading of external resources).

It can also be done using CSS and then grepping accesslog. NoScript will not help you there.

That could be easily circumvented if browsers just fetched the image unconditionally for:visited. The script methods are impossible to stop without locking down what properties are valid to use for:visited.

Both use the same overall technique, which is that browsers display visited links differently to unvisited links. The JS implementation trawls a set of links looking for particular markers in the font colour or size, and the CSS implementation uses "a:visited {background-image:...}" to trick the browser into telling the server which links are visited and which are not.

The Link Status extension for FF3.5 can disable the:visited pseudo-class, preventing both methods from working.

This methodology is actually quite old. It takes advantage of the CSS a:visited tag. Imagine making a:visited have a width of 5 and A have a width of 100. Drop another element right next to it and then after the page loads, check to see the location of that second element. Even if the browser attempts to block JS from accessing the style applied to the visited link, it can't keep you from accessing everything else on the page. Voila, by injecting a lot of links onto the page, you can find out where a person has been.

This is particularly dangerous because it can make Phishing very powerful. Imagine creating a resource that collects email addresses, but on that same page running this script to check the login pages of major banks. Then, you can send out targeted emails to people who you know have bank accounts at particular providers.

It's a curious phenomenon, how the mind closes once a certain type of conclusion has been reached. This is the phenomenon that lead to the the NoScript/AbBlock war, and it seems entirely unfruitful to emulate exactly the kind of thinking that caused the issue in the first place.

Can we please just have something that doesn't give up our privacy every three seconds? If you like having a browser history or enjoy the benefits of javascript, you're screwed. The only answer is to disable one or both of those.

Of course there is no reason this is still not fixed (by being able to disable a:visited style)

If the issue were so simple, why has no major browser implemented a proper fix for this yet, despite the fact that we've known about the issue for nine years [mozilla.org] ?

A:visited is very useful to the user in some circumstances, so it's unacceptable to turn it off for every user in every circumstance. Firefox 3.5 added a hidden preference [squarefree.com] in case some users want to turn it on sometimes, but that solution doesn't work fo

No. It was able to sniff my history and I'm running Safari 4.0.1 (5530.18).
This has more to do with JavaScript and CSS breaking the fundamental user model of the web. It's not a problem with any particular browser, it's the web standard that is flawed. As we move toward better DOM, JavaScript and web apps, expect this kind of stuff even more.

Granted, some of you are concerned about people finding out the sites you visit, but what about a real world problem (or two)?

Some time back, there was an attack that threw a phony dialog pop-up saying that your timeout had been expired at your bank site. Combine that with being able to see *what* bank's site (and whether or not you have been at it recently). This could even be injected through a compromised ad-server system or the like. Maybe you don't even have to visit my site. There's some moving part

I want to browse "safely"; protection against most XSS and sh1t like scripts reading my browser history, etc. However, I want the sites that I visit to "work" at the same time. Ya, NoScript is great, but with sites globally disallowed, the Internets are useless.

Can anyone offer some suggestions to reasonably lock down FF where a balance is struck between security and usability??

IMO people freaking out about privacy is just a way for people to feel important.

How interesting. Now will you please include here for public scrutiny your real name, address, phone number as well as your social security number and the last 500 sites you have visited, the last 100 books you read, a disclosure of all the women/men you've slept with, your medical conditions, all the drugs you've taken (legal and not), all the times and locations you've perpetrated any crime including traffic or tax violation

I turned history off a long time ago. I don't ever use it. With the number of sites I visit in a day, I can't every find anything in there anyway, so no point leaving it around for others to stumble upon.